MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad2bf8487310a468bc4e71714b81d4616d75310206c6c35e8a7cd495b7f90c22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad2bf8487310a468bc4e71714b81d4616d75310206c6c35e8a7cd495b7f90c22
SHA3-384 hash: f648b31e457e89083bcd078d51a52f9368d687fcfeb06ae8ae60e0fc0b4adee5f7e5352ce8ad7a4ef49f8de340306df3
SHA1 hash: d08470c1a7273618ec38b4814790ce97c781d843
MD5 hash: 2e063c28a91223dde3cf805bdca62576
humanhash: network-mississippi-lamp-sweet
File name:EM RUBY-Owner CTM form.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'054'720 bytes
First seen:2021-11-15 04:51:38 UTC
Last seen:2021-11-15 07:02:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:jbDY9hYoefEnEKyoi/WxhKu23BxKU0kMd2V1L5HOUsVSZpN:MzgEEK/i/WnKuAxz0CVvOUsVEp
Threatray 13'343 similar samples on MalwareBazaar
TLSH T1E725E67C7A3147A2FD1D8170AC5209F47B631F17A280699727CB35CA9BBB0F22D469C9
File icon (PE):PE icon
dhash icon 71e0c822d4cce071 (1 x AgentTesla)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205739/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Kryptik.ali2000016.18851.6386.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Running batch commands
Creating a file in the %AppData% subdirectories
Launching a process
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/6191e777dec3347825a4e1e4/reports/85f06bc9-1d43-40f2-844d-3539099d4b5b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d74029f-4dc6-429a-b0fd-335b5a28badd
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/889090
Signature
.NET source code contains very large array initializations
Binary or sample is protected by dotNetProtector
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 521563 Sample: EM RUBY-Owner CTM form.exe Startdate: 15/11/2021 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Yara detected AgentTesla 2->43 45 .NET source code contains very large array initializations 2->45 47 4 other signatures 2->47 8 EM RUBY-Owner CTM form.exe 3 2->8         started        11 ttgf.exe 2 2->11         started        process3 signatures4 49 Injects a PE file into a foreign processes 8->49 13 EM RUBY-Owner CTM form.exe 2 8->13         started        16 cmd.exe 3 8->16         started        19 cmd.exe 1 8->19         started        51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->51 53 Machine Learning detection for dropped file 11->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->55 21 ttgf.exe 2 11->21         started        23 cmd.exe 1 11->23         started        25 cmd.exe 11->25         started        process5 file6 57 Tries to steal Mail credentials (via file / registry access) 13->57 59 Tries to harvest and steal ftp login credentials 13->59 61 Tries to harvest and steal browser information (history, passwords, etc) 13->61 37 C:\Users\user\AppData\Roaming\ttgf\ttgf.exe, PE32 16->37 dropped 39 C:\Users\user\...\ttgf.exe:Zone.Identifier, ASCII 16->39 dropped 27 conhost.exe 16->27         started        63 Uses schtasks.exe or at.exe to add and modify task schedules 19->63 29 conhost.exe 19->29         started        31 schtasks.exe 1 19->31         started        signatures7 process8 process9 33 conhost.exe 27->33         started        35 schtasks.exe 1 27->35         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ad2bf8487310a468bc4e71714b81d4616d75310206c6c35e8a7cd495b7f90c22/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-15 04:52:07 UTC
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vuv7qsdtccsgrpcoofyuxaoumfwxkmica3dmgxukptkjln7zbqra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1f68e9becd0375dae05466e372419267cff95793f673b94784b642b662729463
AgentTesla
2bff7918842a32e19021595f3276402ff1e1034130ed6dfbf4f3f11dda06a52d
AgentTesla
3146451b8705dcf7a850cea01e3e68513448d9f92212129162e8c5d80ff1020e
AgentTesla
33c6ab107de081461d6f7b67d5d120efc3dd15ba75351d9a564884d6368078fe
AgentTesla
3813d5fe541f008c96f3a0f367113a1fa3c047f08815fcd8335c4b829523ca28
AgentTesla
51bd8c50dd5a58aa312bbcd0db0a1c297b929b8addb04cca5552a0ed1a79b209
AgentTesla
5a2ce470fbe1babd44df83899f5909e3dcd031bc95de5a748f473f288084de7a
AgentTesla
bac1342206103fdc88c4c3ca8b2c30d73e46781d8e40f82f1ea4064547bbb76c
AgentTesla
eb12f5ac4c8669a097af19e970c05103b43e542a4ad162401c68acef25ff8b5c
AgentTesla
+ 13'333 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211115-fhfd6aebgm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
35969c0633c9f2093c0fc82235bba50abf854579b123b1b297196fadb35d83cd
MD5 hash:
d1d17fc8b0e88d0b9e77754028538bb7
SHA1 hash:
c2754081a16b3998571d6861f99c88d5c78b3195
Link:
https://www.unpac.me/results/a0b8b64f-371d-454e-9e8c-90bd2ebbc46f/
SH256 hash:
ad2bf8487310a468bc4e71714b81d4616d75310206c6c35e8a7cd495b7f90c22
MD5 hash:
2e063c28a91223dde3cf805bdca62576
SHA1 hash:
d08470c1a7273618ec38b4814790ce97c781d843
Link:
https://www.unpac.me/results/a0b8b64f-371d-454e-9e8c-90bd2ebbc46f/
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ad2bf8487310/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with dotNetProtector
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/205739/

Comments